PyPI adds domain resurrection protections for account recovery
Summary
PyPI introduced new protections against domain resurrection attacks that could let attackers hijack maintainer accounts through password resets tied to expired domains. The platform now checks verified-email domains with Domainr’s Status API, marks risky addresses unverified, and blocks their use for account recovery. The rollout matters because compromised maintainer accounts can be used to publish malicious Python packages into the supply chain.
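The check described in the summary (scan the domains of verified addresses, downgrade any whose domain is no longer safely held, and let only verified addresses receive a password-reset link) can be modelled in a few dozen lines. The following is an added example, not PyPI's code: the Domainr Status API call is replaced by a constructed in-memory table, and the status strings it contains are assumptions chosen for illustration, not Domainr's documented vocabulary.

```python
"""Model of a verified-email domain lifecycle check for account recovery.

Added illustration, not PyPI's implementation. The Domainr Status API lookup
is replaced by a constructed table; the status strings are assumptions.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a Domainr Status API lookup (assumed status values).
# Only "active" is treated as safe; any other state means the domain could be
# registered by someone other than the original owner.
DOMAIN_STATUS = {
    "example.org": "active",
    "old-startup.example": "expiring",
    "gone-corp.example": "undelegated",
}

SAFE_STATUSES = {"active"}


@dataclass
class Account:
    username: str
    emails: dict[str, bool] = field(default_factory=dict)  # address -> verified?


def domain_of(address: str) -> str:
    """Normalised domain part of an e-mail address."""
    return address.rsplit("@", 1)[1].lower()


def domain_status(domain: str) -> str:
    # In production this would query the Domainr Status API. A domain the
    # lookup knows nothing about is treated as unsafe, not assumed fine.
    return DOMAIN_STATUS.get(domain, "unknown")


def run_daily_scan(accounts: list[Account]) -> list[tuple[str, str]]:
    """Unverify every address whose domain is no longer safely held.

    Returns the (username, address) pairs that were downgraded.
    """
    downgraded = []
    for acct in accounts:
        for address, verified in acct.emails.items():
            if verified and domain_status(domain_of(address)) not in SAFE_STATUSES:
                acct.emails[address] = False  # value update only; dict size unchanged
                downgraded.append((acct.username, address))
    return downgraded


def recovery_targets(acct: Account) -> list[str]:
    """Addresses a password-reset link may be sent to: verified ones only."""
    return [addr for addr, verified in acct.emails.items() if verified]


def request_password_reset(accounts: list[Account], address: str) -> bool:
    """True if a reset link would be sent to `address`, False if refused."""
    return any(address in recovery_targets(acct) for acct in accounts)


def demo() -> dict[str, object]:
    """Constructed accounts: run one scan and compare recovery before/after."""
    accounts = [
        Account("alice", {"alice@example.org": True}),
        Account("bob", {"bob@old-startup.example": True, "bob@example.org": False}),
        Account("carol", {"carol@gone-corp.example": True}),
    ]
    before = request_password_reset(accounts, "carol@gone-corp.example")
    downgraded = run_daily_scan(accounts)
    after = request_password_reset(accounts, "carol@gone-corp.example")
    return {"before": before, "downgraded": downgraded, "after": after}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the scan runs on a schedule independently of any reset request, so by the time an attacker who re-registered a lapsed domain asks for a reset, the address has already lost its verified status and `request_password_reset` refuses it. Treating an unknown lookup result as unsafe (rather than safe) is the conservative default a defender wants here.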
Timeline
- 19.08.2025 23:08 · 1 article
  PyPI adds domain resurrection protections for account recovery
  Initial Disclosure: Initial scans began in **April** to measure how many verified-email domains were nearing expiration and to test the new lifecycle checks. After that evaluation, PyPI moved to a **June 2025** rollout with **daily scans**.
Sources
- PyPI now blocks domain resurrection attacks used for hijacking accounts — www.bleepingcomputer.com — 19.08.2025 23:08